401 if AppPool is not Network Service

My setup:
Windows 2003 Servers, IIS 6.0. There have almost certainly been
adjustments to the configuration performed by the IT group that
provisions these, but I don't have complete details on what they did.
Visual Studio 2003, .NET 1.1.

I created two web services, Ping and PingAuth. I put both applications
into the same App Pool, named PingPool. In IIS, I allow anonymous users
to access Ping, but only Integrated Windows authentication allowed to
PingAuth.

In both Ping and PingAuth's web.config files, I set:
<authentication mode="Windows" />
<authorization><allow users="*" /></authorization>
<identity impersonate="false" />

(I know that impersonation defaults to false, but just so you can see
it...)

I am in the Administrators group on the IIS 6 box.

Here's the scenario. If I use IIS 6 to set the identity for the
application pool (PingPool) to a domain account (a faceless service
account, in my test), then, even if I do not access any other resources
(not even on the same box), I get a 401 error on the PingAuth service,
even when I just try to open the project in Visual Studio or browse to
the Service1.asmx page. IE will present a login dialog, but even if I
supply my proper credentials, it will not log me in. Similarly, a web
service client proxy fails to access the web service. I do not get a
401 error on the anonymous-enabled project, Ping.

However, if I reset the PingPool application pool's identity to Network
Service, and then change the web.config files for both Ping and
PingAuth to impersonate the service account, everything runs
beautifully. Only authenticated users are allowed in, and I can
identify them properly using Context.User or Thread.CurrentPrincipal,
while WindowsIdentity.GetCurrent() identifies the impersonated service
account.

Is there a Windows 2003 privilege that I need to set for the service
account so that I can set it to be the identity of the application
pool? I'd rather not have the password for the service account hanging
around in the web.config file, nor stored in the source code, and I'm
too lazy to mess with storing it securely in web.config or in code,
when just setting the application pool identity should work.

TIA,
->Alan

.

Relevant Pages

  • Re: Cannot view SSI on IIS
    ... > We have a Windows 2000 Server running IIS. ... enable auditing on the server and then enable file ... How to set secure NTFS Permissions on IIS directories and log files - ... IWAM_computername account instead of the IUSR_computername account. ...
    (microsoft.public.inetserver.iis.security)
  • Re: IIS and ASP.NET authentication
    ... IIS uses either its built in account or the account which is set in console ... That means account still exists in Windows. ... That means it is doing authentication. ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: Digest Authentication
    ... Seems like either IIS is using the wrong user account -or- IIS doesn't have ... you do not need Script Source or Write permissions unless you ... And basic authen..and integreted windows ...
    (microsoft.public.inetserver.iis)
  • Re: Login failed for user (null). Reason: Not associated with a trusted SQL
    ... the user that IIS is logging on as, ... if you do not want the user's Windows credentials to flow back to SQL ... a domain account, and grant that domain account sufficient privileges in SQL ... >> Windows Authentication, but I don't know whether you are using ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • RE: Slow DNS response to Ping
    ... It seems Windows Update is wrecking some havoc amoung ... Since his was a, sort of, machine account he didn't have to ... 2K3 servers and a Linux server. ... Ping statistics for 209.131.36.158: ...
    (microsoft.public.windowsxp.network_web)
Quantcast